SCIM Integration Setup Guide

Written by Nina Wettergren
Updated today

Overview

If your organisation has many users with access to Sysarb — typically through Involve or Pay Management — keeping user access up to date manually can quickly become unmanageable. Every hire, role change, or departure requires a manual update in Sysarb, and the risk of access being incorrect or outdated grows with the size of your organisation.

To solve this, Sysarb supports automated user and role provisioning based on the open standard SCIM (System for Cross-domain Identity Management). With SCIM, your Identity Provider (IdP) — such as Microsoft Entra, Okta, or Google Workspace — becomes the single source of truth for who has access to Sysarb and with which role. Changes in your IdP are automatically reflected in Sysarb, without any manual intervention.

Sysarb's SCIM implementation follows the SCIM 2.0 protocol (RFC 7643 / RFC 7644) and is compatible with any SCIM 2.0-compliant IdP.

For organisations with few users or infrequent access changes, manual user management may still be the simpler option — see create a user, create extended roles, and link or disable a manager.

This guide covers three SCIM scenarios. The right scenario depends on your IdP setup and your organisation's technical capability.

Note: This guide is intended for both HR/business and IT/IAM resources. HR defines the role mapping and access logic; IT handles the technical configuration in the IdP. For full technical specifications — including API endpoints, attribute schemas, and request/response formats — see the SCIM API Technical Reference.


Which scenario applies to you?

SCIM: User provisioning only

  • User provisioning: Automated via IdP

  • Role assignment: Manual (Sysarb)

  • Suited for: Organisations that want automated user lifecycle management but prefer to manage role assignments manually in Sysarb, without using SCIM groups

SCIM: User and role provisioning (manual mapping)

  • User provisioning: Automated via IdP

  • Role assignment: Manual per SCIM group (Sysarb)

  • Suited for: Organisations with an IdP supporting SCIM and SSO, where SCIM groups are provisioned from the IdP and role mapping is done manually per SCIM group in Sysarb

Extended SCIM: User and role provisioning (automated mapping)

  • User provisioning: Automated via IdP

  • Role assignment: Automated via IdP

  • Suited for: Organisations with an IdP supporting SCIM and SSO, and the ability to configure SCIM groups with structured role and org unit attributes

Extended SCIM: User and role provisioning (automated mapping) is the recommended target state — it requires more initial setup effort but the least ongoing administration once in place.

SCIM: User provisioning only is suited for organisations that need automated user lifecycle management but are not ready to delegate role assignment to the IdP. If this applies to your situation, contact your Sysarb customer success contact to discuss setup.


Prerequisites

Before starting the setup in Sysarb, make sure the following is in place:

  • SSO: Single Sign-On is activated. Combining SCIM with SSO is strongly recommended. See our SSO Setup Guide for instructions.

  • Identity Provider: You have an IdP (e.g. Microsoft Entra, Okta, Google Workspace) that supports the SCIM 2.0 protocol

  • Consistency with main integration/import: Users in your IdP must be identified by the same email address used in the Sysarb data import. SCIM uses email to link provisioned users to existing employee records — a mismatch will result in unlinked users

Note: It is your IdP — not your HRIS — that needs to support SCIM and push users and roles to Sysarb. The two data flows must be consistent: email addresses and org unit identifiers must match between your HRIS import and your IdP setup, otherwise users may not be correctly connected to their employee records.

Additional prerequisite for Extended SCIM only:

SCIM groups in your IdP must be configured with the following structured attributes, using the SCIM Enterprise Group Extension schema:

  • role — a numeric role value identifying which Sysarb role to assign (e.g. "50" for Manager). For the full list of valid role codes, see the SCIM API Technical Reference.

  • unitNumber — the org node identifier matching the unit number used in your Sysarb data import

SCIM group names in the IdP are flexible — Sysarb reads the structured attributes, not the name.

  • Consistency with main integration/import: The unitNumber values in your SCIM groups must match the org unit identifiers used in your Sysarb data import. A mismatch will result in a provisioning error and no role assignment will be saved.

Tip: Configuring the SCIM group structure requires input from two separate functions. HR defines the business logic — which roles should exist in Sysarb and who should hold them in which part of the organisation. IT / IAM then translates this into a SCIM group structure the IdP can implement and Sysarb can consume. Complete and document the HR decision before involving IT. Contact your Sysarb customer success contact if you need help thinking through the mapping.


Setup steps

The steps below cover SCIM: User and role provisioning (manual mapping) and Extended SCIM: User and role provisioning (automated mapping). If your organisation is setting up SCIM: User provisioning only, contact your Sysarb customer success contact — that scenario is handled on a case-by-case basis and is not covered here.

Setup is done in Sysarb under Settings → System → User provisioning (SCIM).

Step 1 — Verify prerequisites

Before proceeding, confirm that all prerequisites are in place. See the Prerequisites section above for details.

  • Main integration is active and employee records in Sysarb include email addresses

  • SSO is activated

If any of these are not yet in place, complete them before continuing.

Step 2 — Review role access

Under Settings → System → Role access, you can toggle access on or off per role. By default, all roles have access enabled. Once SCIM is activated, any employee with an assigned role will be able to log in to Sysarb.

If you want to verify that role provisioning is correct before users gain access, disable the relevant roles here before activating SCIM. Re-enable them once you have confirmed the setup is as expected.

Available roles in Sysarb include: Employee, Manager, Section manager, HR Business Partner, Operational administrator, Read-only, and Union. For a full overview of what each role can access, see Roles — who can do what.

Step 3 — Configure your IdP

This step involves both HR and IT. If you followed the preparation recommended in the Tip above, HR has already defined the role mapping and IT can now implement it. If that groundwork has not been done, do it before proceeding — IT cannot configure the SCIM group structure without knowing the intended role mapping.

Work with your IT support or the person responsible for IAM to configure your IdP to send user and SCIM group data to Sysarb based on the agreed role mapping.

What Sysarb requires from your IdP:

  • Users and SCIM groups are pushed to Sysarb via the SCIM 2.0 protocol

  • Each user must have a unique email address that matches the one used in your Sysarb data import and SSO login

  • SCIM groups must be structured as described in the prerequisites above — for Extended SCIM, SCIM groups must include the role and unitNumber attributes using the Enterprise Group Extension schema

Share the following details from Sysarb with the person configuring your IdP (see Step 4).

Step 4 — Provide SCIM configuration details to your IT/IAM resource

In Sysarb, navigate to Settings → System → User provisioning (SCIM) and copy the following:

  • Base URL

  • API key: shown in the SCIM configuration dialog — click Regenerate if a new key is needed

Your IT/IAM resource enters these details into your IdP to establish the connection. The API key is used as a Bearer token for authentication.

Important: User provisioning becomes active as soon as the API key is accepted by the IdP and the IdP begins pushing data — users will be created, updated, or deactivated in Sysarb from this point. Role provisioning is a separate step: SCIM group data is received and stored, but role assignments are not applied until you explicitly activate role provisioning in Step 6. The Employee role is not assigned via role provisioning; it is assigned automatically the first time a user logs in, provided the user is linked to an employee record.

Note on unlinked users: If a user is provisioned by the IdP before a matching employee record exists in Sysarb (based on email address), the user is created in an unlinked state. Sysarb will attempt to link the user to the corresponding employee record in a scheduled recurring job. Ensure employee records in Sysarb have email addresses populated before activating SCIM.

Step 5 — Assign role and organisation to provisioned SCIM groups

Once the IdP is configured and SCIM groups are being pushed to Sysarb, navigate to Settings → System → User provisioning (SCIM). A table will appear listing all provisioned SCIM groups with columns for Group ID, Group name, Users, Role, and Organisation. (TBD: column name "Users" to be confirmed — UI update pending)

Manual mapping: Assign Role and Organisation manually to each SCIM group using the dropdown menus in the table. You can assign SCIM groups one by one, or select multiple SCIM groups using the checkboxes and use the bulk action bar at the bottom (Edit role / Edit organisation) to assign the same value to several SCIM groups at once. You can search and filter by Group ID, Group name, Role, or Organisation to navigate large lists.

Click on the user count in any row to see a read-only list of users in that SCIM group. Where a user has been linked to an employee record, their position title is also shown.

Automated mapping: Role and Organisation are assigned automatically based on the role and unitNumber attributes in the SCIM group. Rows where data has been provided by the SCIM solution are read-only. Rows where data has not yet been provided can be edited manually.

Note: If a SCIM group's unitNumber does not match any organisation node in Sysarb, or if the role value does not match a valid Sysarb role, the IdP will receive an error and no user or role update from that call will be saved. Review your SCIM group attributes if you see provisioning errors.

All SCIM groups that are intended for role assignment must have a role and organisation assigned before activation. Groups used only for user provisioning (e.g. an all-users group) do not need to be assigned a role and can be left unmapped. A banner at the bottom of the page will confirm when all relevant SCIM groups are ready and prompt you to activate.

Step 6 — Activate role provisioning

When all SCIM groups have been assigned a role and organisation, click Activate role provisioning. A confirmation dialog will appear:

Activating role provisioning will do the following:

  1. Remove all existing roles in Sysarb — all roles will now be managed via user & role provisioning.

  2. Create the assigned roles for the groups and users.

  3. All employees will be given access to Sysarb unless you have blocked access for specific roles.

⚠️ If you have existing users in Sysarb, activating role provisioning will remove all current role assignments. Work through this guide carefully and ensure your role setup is complete and verified before activating. Your customer success contact will coordinate any necessary access re-assignment before activation.

⚠️ Make sure you have assigned a role and organisation to at least your administrators before activating, to avoid locking yourself out.

Check the confirmation box and click Activate role provisioning to proceed. The status indicators at the top of the page will update to show Active user provisioning and Active role provisioning.

Note: Once SCIM is active, user management tasks (create, update, delete) are locked in the Sysarb UI and must be managed via the IdP.


What happens when things change

Once SCIM is active, here is how common HR events are handled:

New hire (no role)

  • Extended SCIM (automated mapping): User created via SCIM; linked to employee record via email address. Employee role assigned automatically on first login.

  • SCIM (manual mapping): Same as Extended SCIM

New hire (with role)

  • Extended SCIM (automated mapping): Role assigned automatically via SCIM group attributes in IdP

  • SCIM (manual mapping): User inherits role based on current SCIM group setup in IdP; if entirely new team, a new SCIM group must first be created in IdP and then assigned in Sysarb

Employee changes org unit

  • Extended SCIM (automated mapping): Handled through data import — SCIM unaffected

  • SCIM (manual mapping): Same as Extended SCIM

Employee changes role

  • Extended SCIM (automated mapping): SCIM group membership updated in IdP and synced via SCIM

  • SCIM (manual mapping): SCIM group membership updated in IdP; if new SCIM group, admin must assign role + org in Sysarb before it takes effect

Termination

  • Extended SCIM (automated mapping): Employee inactivated via import; user deactivated or deleted in IdP and synced via SCIM

  • SCIM (manual mapping): Same as Extended SCIM

Org structure change

  • Extended SCIM (automated mapping): Changes imported via HRIS; reflected in SCIM only if org unit identifiers are consistent

  • SCIM (manual mapping): Changes imported via HRIS; new nodes require manual assignment in Sysarb

Note on org structure changes: All org structure changes require pre-testing. A changed parent node in particular carries risk — consult your Sysarb contact before making structural changes if you are unsure of the impact.

Note on timing: Employee data (org, role) is updated via the HRIS import on a schedule. If a SCIM event and an import are not aligned in timing, there may be a brief delay before changes are fully reflected. Consider this when planning onboarding or role changes.


Please note

All-or-nothing role provisioning. When role provisioning is activated, all existing role assignments are removed and replaced by roles derived from SCIM group data. It is not possible to have SCIM manage some roles while others are managed manually within the same tenant.

Manager and Deputy Manager roles. SCIM cannot differentiate between Manager and Deputy Manager when multiple people are assigned to the same SCIM group. If more than one person is in a SCIM group mapped to the Manager role, all members will be treated as Deputy Managers. As a result, SCIM is not recommended for customers using Pay Management who rely on the Deputy Manager role. If this applies to your organisation, contact your Sysarb customer success contact before proceeding.

Reverting from Extended SCIM (automated mapping) to manual mapping. Reverting requires manual re-assignment of role and organisation for all SCIM groups in Sysarb. Contact Sysarb support if you need to do this.
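
A pre-activation check for IT/IAM, as an added example that is not Sysarb's code: it compares a planned SCIM group layout with the Sysarb data import and flags the conditions this guide warns about (unlinked users, unitNumber or role mismatches, administrators left without a role, and Manager groups with more than one member). The `Group` shape, the `preflight` function and all sample values are assumptions made for illustration; only the role code "50" comes from this guide.

```python
from dataclasses import dataclass
from typing import Optional

MANAGER_ROLE = "50"  # the one role code this guide quotes ("50" for Manager)

@dataclass
class Group:
    name: str
    members: list                      # member email addresses as the IdP sends them
    role: Optional[str] = None         # Extended SCIM group attribute "role"
    unit_number: Optional[str] = None  # Extended SCIM group attribute "unitNumber"

def preflight(groups, import_emails, import_units, valid_roles, admins):
    """Return findings per check; all lists empty means nothing was flagged."""
    out = {k: [] for k in ("unlinked_users case_only_email half_mapped bad_unit "
                           "bad_role multi_manager admins_without_role").split()}
    exact = set(import_emails)
    folded = {e.casefold() for e in import_emails}
    with_role = set()
    for g in groups:
        for email in g.members:
            if email not in exact:
                # Case-only differences are listed apart: the guide does not say if matching is case-sensitive.
                key = "case_only_email" if email.casefold() in folded else "unlinked_users"
                if email not in out[key]:
                    out[key].append(email)
        if g.role is None and g.unit_number is None:
            continue  # user-provisioning-only group, may stay unmapped
        if g.role is None or g.unit_number is None:
            out["half_mapped"].append(g.name)
            continue
        unit_ok, role_ok = g.unit_number in import_units, g.role in valid_roles
        for key, ok in (("bad_unit", unit_ok), ("bad_role", role_ok)):  # either one errors back to the IdP
            if not ok:
                out[key].append(g.name)
        if unit_ok and role_ok:
            with_role.update(g.members)
            if g.role == MANAGER_ROLE and len(g.members) > 1:
                out["multi_manager"].append(g.name)  # all members treated as Deputy Managers
    out["admins_without_role"] = [a for a in admins if a not in with_role]  # lock-out risk
    return out

# Constructed sample data, not real Sysarb or IdP output.
IMPORT_EMAILS = ["anna@example.com", "bo@example.com", "cy@example.com", "hr.admin@example.com"]
IMPORT_UNITS = {"1000", "1100"}
VALID_ROLES = {"50"}  # complete this set from the SCIM API Technical Reference
ADMINS = ["hr.admin@example.com"]
GROUPS = [
    Group("all-users", ["anna@example.com", "Bo@example.com", "dee@example.com", "hr.admin@example.com"]),
    Group("mgr-1100", ["anna@example.com", "cy@example.com"], "50", "1100"),
    Group("mgr-1200", ["cy@example.com"], "50", "1200"),
    Group("admins", ["hr.admin@example.com"], "7", "1000"),  # "7" is a made-up invalid code
]
REPORT = preflight(GROUPS, IMPORT_EMAILS, IMPORT_UNITS, VALID_ROLES, ADMINS)
print("\n".join(f"{check}: {hits or 'ok'}" for check, hits in REPORT.items()))
```

Any non-empty list is worth resolving before clicking Activate role provisioning, since activation removes all existing role assignments.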


After activation

Once active, the SCIM page displays a table of all provisioned SCIM groups with their assigned roles and organisations, and a counter showing assigned roles vs. total (e.g. 14/14).

From the menu (⋮) in the top right you can access:

  • SCIM configuration — view the base URL and API key. For security reasons the current key is not shown in full. Click Regenerate to create a new one if needed, then update it in your IdP.

  • Activate role provisioning — visible before role provisioning is active

  • Deactivate role provisioning — role assignment via SCIM is disabled. Existing role assignments are preserved. Any new users provisioned after deactivation will only receive the Employee role on first login — no other roles will be applied until role management is handled manually. Note: user lifecycle (create, update, deactivate) continues to be managed via the IdP even after role provisioning is deactivated.

  • Delete SCIM integration — removes the integration entirely: the API key is deleted, no further updates are received from the IdP, and all users and roles must be managed manually going forward. All existing users and roles remain.


Responsibilities overview

SSO setup

  • Responsible: Customer IT / IAM

  • Support: IdP provider

Role mapping definition (who gets which role in which org unit)

  • Responsible: Customer HR / business

  • Support: Sysarb support or customer success

IdP SCIM configuration and SCIM group structure

  • Responsible: Customer IT / IAM

  • Support: IdP provider

SCIM setup in Sysarb UI (steps 1–6)

  • Responsible: Customer

  • Support: Sysarb support or customer success

SCIM group-to-role mapping in Sysarb (manual mapping)

  • Responsible: Customer HR / business

  • Support: Sysarb support or customer success

Ongoing SCIM group maintenance

  • Responsible: Customer IT / IAM

  • Support: Sysarb support or customer success


Troubleshooting

User not provisioned

  • Likely cause: SCIM group not pushed from IdP

  • What to do: Check SCIM group assignment and sync status in your IdP

Wrong role or org unit assignment

  • Likely cause: SCIM group attributes incorrect

  • What to do: Review role and unitNumber values (automated mapping) or manual mapping in Sysarb

Provisioning error returned to IdP

  • Likely cause: unitNumber or role attribute doesn't match Sysarb data

  • What to do: Verify that unitNumber matches an existing org node and that role is a valid Sysarb role value. The error response will include a descriptive message — check the provisioning logs in your IdP for details. For persistent errors, contact [email protected]

Duplicate user records

  • Likely cause: Email mismatch between IdP and existing Sysarb users

  • What to do: Align email addresses before enabling SCIM

User not deactivated on offboarding

  • Likely cause: User not removed from SCIM group in IdP

  • What to do: Review offboarding process in IdP

All roles removed unexpectedly

  • Likely cause: Role provisioning activated before all SCIM groups were mapped

  • What to do: Deactivate role provisioning, remap SCIM groups, then reactivate

Role not updating after org structure change

  • Likely cause: Org unit identifiers inconsistent between import and SCIM groups

  • What to do: Verify that unitNumber values match between HRIS import and IdP SCIM group attributes

Cannot revert from automated to manual mapping

  • Likely cause: SCIM groups read-only when Extended SCIM data is present

  • What to do: Contact Sysarb support for re-assignment assistance


Support

Reach Sysarb at [email protected] or directly in the interface. If you are in an active implementation, your customer success contact is also available to help.
